I am so excited about this evening! After a long wait, I am going to the new James Bond 007 movie, No Time to Die! I am making it a big deal. A group of 12 of us are going to the nice Silverspot Cinema that is amazing, with an incredible lounge area. I am dressing up in my black tuxedo, my wife is going to wear an evening gown and be a Bond girl (her choice for those that don’t like the stereotype). We are going to get a vodka martini in the lounge before the movie and enjoy the film. It is going to be a lot of fun, I wish each of you could be there with us.
James Bond is all about risk management: situational awareness of opportunity, uncertainty, and hazards. He understands and interprets everything around him and turns it to his advantage.
Today’s organizations need James Bond risk situational awareness. Risk situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the organization because of the complexity and intricacies of risk management.
Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk, risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. What is James Bond’s objective? What can help him in achieving those objectives? What can hinder him from achieving those objectives? What is he confident in? What is he uncertain of?
The same questions and thought processes can be asked of the organization in its objectives. In the business world, we have all sorts of objectives. They can be strategic entity-level objectives for profit, growth, expansion. They could be a division or department objectives. They can then drill into the process, project, or even asset-level objectives. We need to understand and manage risk (uncertainty) in achieving those objectives.
The business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect,’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades and influences what ends up being a significant issue. Change in one area has cascading effects that impact the entire ecosystem. Dissociated risk information leaves the organization with fragments of truth that fail to show the big picture of performance, objectives, and risk/uncertainty across the enterprise. The organization has to have holistic visibility and 360° risk situational awareness.
Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause; in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential to the point of being unpredictable.
Situational risk awareness enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling.
Organizations striving to improve their GRC management capability and maturity will find they are more:
- Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
- Aligned. They align performance, risk management, and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated risk capability to those of the entity and giving strategic consideration to information from the risk management capability to affect appropriate change.
- Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
- Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
- Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
- Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources, making the organization leaner overall with enhanced GRC capability and better decisions about the application of resources.
Find more from Michael Rasmussen at GRC 20/20 Research here.